@taolaw the first issue was seemingly found using a very old release of openjpeg (prior https://github.com/uclouvain/openjpeg/commit/c887df12a38ff1a2721d0c8a93b74fe1d02701a2). Can you please provide a reproducer for this?
@sandromani thanks for the heads-up. [r1825] is indeed a modified version of my patch proposal.
Regarding overflow No. 2. From the Debian bug report: The overflow happens during the following call to memcpy:

```c
// convert to strip
if(x + tileWidth > width) {
    src_line = imageRowSize - rowSize;
} else {
    src_line = tileRowSize;
}
BYTE *src_bits = tileBuffer;
BYTE *dst_bits = bits + rowSize;
for(int k = 0; k < nrows; k++) {
    memcpy(dst_bits, src_bits, src_line);
    src_bits += tileRowSize;
    dst_bits -= dst_pitch;
}
```

This portion of code copies image data from a libTIFF-provided buffer to an internal buffer....
syntax.c: check for syntax element inconsistencies
sbr_hfadj: sanitize frequency band borders
I can confirm that this issue was a bug in the libTIFF codebase, namely http://bugzilla.maptools.org/show_bug.cgi?id=2500. The reproducer does not declare the SamplesPerPixel field, so libTIFF does some guessing to set the correct value. Unfortunately it does not update the SMinSampleValue value, leading to a later crash. It was fixed in 739dcd28 (https://gitlab.com/libtiff/libtiff/commit/739dcd28a061738b317c1e9f91029d9cbc157159). You can reproduce the issue by building a pre-739dcd28 libTIFF with asan:...
This is not the way we handle issues in the Debian LTS team. When I can't reproduce a vulnerability, I consider it undetermined as long as I can't prove it isn't affected. When trustworthy people claim to be able to reproduce the issue with the same version as me, I usually consider the package affected and try to reproduce and fix the vulnerability. I opened these bugs because I couldn't find any sign showing that the lame dev team was aware of these CVEs. If you fix vulnerabilities in your cvs...